FICA is one of the most frequently confused compliance obligations in South Africa. Many business owners have heard the term — usually because their bank asked for FICA documents — but do not understand what the law actually requires of their own business.
The two concepts need to be clearly separated: FICA documents are what customers provide to banks, and FICA compliance obligations are what certain categories of business must maintain internally. Understanding this distinction is the first step toward knowing whether your business is directly affected.
What FICA is
FICA is an abbreviation for the Financial Intelligence Centre Act 38 of 2001, as amended. The Act was enacted to fight financial crimes such as money laundering, fraud, tax evasion, terrorist financing activities and identity theft.
The Act was amended in 2017 to bring South Africa in line with international standards set by the Financial Action Task Force (FATF). The Financial Intelligence Centre — the FIC — is the government body that administers FICA.
Who is subject to FICA compliance obligations
FICA applies specifically to “accountable institutions” — categories of business defined in Schedule 1 of the Act. Categories include: banks, estate agents, legal practitioners, financial services providers, credit providers, crypto asset service providers, high-value goods dealers, and trust and company service providers.
In the SME context, the most commonly affected are: accountants and bookkeepers who provide trust and company services, attorneys, estate agents, FSPs, credit providers, high-value goods dealers (motor vehicles, jewellery, art), and crypto asset service providers.
If your business does not fall within one of these categories, you are not directly subject to FICA compliance obligations.
The seven core FICA compliance obligations
1. Register with the FIC — via goAML at fic.gov.za, within 90 days from commencement of operations. Failure to register: fine up to R10 million.
2. Appoint a Compliance Officer — formally appointed by senior management or the board. The compliance officer is responsible for overseeing your business's AML/CFT programme and reporting obligations.
3. Develop and implement a Risk Management and Compliance Programme (RMCP) — tailored to your specific business, regularly reviewed and updated. The RMCP must address your institution's particular risk profile and operating environment.
4. Apply Customer Due Diligence (KYC) — a risk-based approach to verify the identity of clients before establishing business relationships. This includes collecting identification documents, verifying information against independent sources, and applying enhanced due diligence for higher-risk clients.
5. Screen against sanctions lists — UN Security Council lists and domestic designation lists. Screening must occur before onboarding and on an ongoing basis throughout the business relationship.
6. File regulatory reports with the FIC — cash threshold reports (transactions exceeding R49,999.99), terrorist property reports, and suspicious and unusual transaction reports, all filed via goAML.
7. Maintain records and provide staff training — records kept for a minimum of five years, with ongoing AML/CFT training for employees. Training must be documented and updated to reflect changes in legislation and risk profiles.